Skip to main content
Log in

Human perspective to anomaly detection for cybersecurity

  • Published:
Journal of Intelligent Information Systems Aims and scope Submit manuscript

Abstract

Traditionally signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual event. IDS generate large number of alerts and it becomes very difficult for human users to go through each message. Previous researches have proposed analytics based approaches to analyze IDS alert patterns based on anomaly detection models, multi-steps models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapid the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These Models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12

Similar content being viewed by others

References

  • Anwar, F., Anwar, Z., et al. (2011). Digital forensics for eucalyptus. In Frontiers of Information Technology (FIT), 2011 (pp. 110–116). IEEE.

  • Cheung, S., Lindqvist, U., Fong, M.W. (2003). Modeling multistep cyber attacks for scenario recognition. In DARPA information survivability conference and exposition, 2003. Proceedings (vol. 1, pp. 284–292). IEEE.

  • Cuppens, F., & Miège, A. (2002). Alert correlation in a cooperative intrusion detection framework. In 2002 IEEE symposium on security and privacy, 2002. Proceedings (pp. 202–215). IEEE.

  • Denning, D.E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13(2), 222–232.

    Article  Google Scholar 

  • Dey, S., Janeja, V.P., Gangopadhyay, A. (2009). Temporal neighborhood discovery through unequal depth binning. In IEEE International Conference on Data Mining (ICDM’09).

  • Dodge Jr, R.C., & Wilson, T. (2003). Network traffic analysis from the cyber defense exercise. In IEEE international conference on systems, man and cybernetics, 2003 (vol. 5, pp. 4317–4321). IEEE.

  • Fanelli, R. (2010). The value of competition. SC Magazine.

  • Kim, S.J., & Hong, S. (2011). Study on the development of early warning model for cyber attack. In 2011 International Conference on Information Science and Applications (ICISA) (pp. 1–8). IEEE.

  • Liu, Z., Wang, C., Chen, S. (2008). Correlating multi-step attack and constructing attack scenarios based on attack pattern modeling. In International conference on information security and assurance, 2008. ISA 2008 (pp. 214–219). IEEE.

  • Miles, W. (2001). Hack proofing sun solaris 8—protect your solaris network from attack (1st ed., pp. 83–85, 257). New York: Syngress.

  • Namayanja, J.M., & Janeja, V.P. (2013). Discovery of persistent threat structures through temporal and geo-spatial characterization in evolving networks. In IEEE Intelligence and Security Informatics (ISI).

  • Nguyen, H.D., Gutta, S., Cheng, Q. (2010). An active distributed approach for cyber attack detection. In 2010 conference record of the forty fourth asilomar conference on signals, systems and computers (ASILOMAR) (pp. 1540–1544). IEEE.

  • Ning, P., Cui, Y., Reeves, D.S., Xu, D. (2004). Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security (TISSEC), 7(2), 274–318.

    Article  Google Scholar 

  • Orebaugh, A.D., Biles, S., Babbin, J. (2005). Snort cookbook. O’Reilly Media, Inc.

  • Rehman, R.U. (2003). Intrusion detection systems with Snort: Advanced IDS techniques using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall PTR.

  • Roesch, M., & Green, C. (2003). Snort users manual 2.9.3. (pp. 1–2, 179–180).

  • Sangster, B., O’Connor, T.J., Cook, T., Fanelli, R., Dean, E., Adams, W.J., Morrell, C., Conti, G. (2009). Toward instrumenting network warfare competitions to generate labeled datasets. In Proceedings of the 2nd conference on cyber security experimentation and test (pp. 9–9). USENIX Association.

  • Snort (software) (2013). Wikipedia.com ID: 551979534.

  • Valdes, A., & Skinner, K. (2001). Probabilistic alert correlation. In Recent advances in intrusion detection (pp. 54–68). Springer.

  • Youssef, A., & Emam, A. (2012). Network intrusion detection using data mining and network behaviour analysis. International Journal of Computer Science & Information Technology, 3.6, 87–98.

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Vandana P. Janeja.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Chen, S., Janeja, V.P. Human perspective to anomaly detection for cybersecurity. J Intell Inf Syst 42, 133–153 (2014). https://doi.org/10.1007/s10844-013-0266-3

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10844-013-0266-3

Keywords

Navigation